The evolution of Web 2.0 services and the parallel world of cybercrime is driving up the value of stolen credentials. That is the price that criminals charge each other for stolen user login information. The price of a file of user credentials, aka a `dump’ depends on the Internet service(s) where they can be used, Amichai Shulman, CTO of Imperva told Help Net Security.
Imperva CTO Shulman told Net Security, “Just five years ago, the illegal trade in credit card details was a rising problem for the financial services industry, as well as their customers, with platinum and corporate cards being highly prized by the fraudsters … there are reports of Twitter credentials changing hands for up to $1,000 owing to the revenue generation that is possible from a Web 2.0 services account. This confirms our observations that credentials can fetch a high sum according to both the popularity of the application and the popularity of the account in question.”
The value of stolen credentials
This is illustrated by the ‘going rate’ of $1.50 for a Hotmail account, and $80.00-plus for a Gmail account. As a service, Hotmail has fallen out of favor, while Gmail’s all-around flexibility means it is a central service for business users, Mr. Shulman said. The result is that Gmail credentials can also give access to a range of Google cloud services. The vulnerable services including Google Docs and Adword accounts. Mr. Shulman explained that Google Docs can contain valuable additional information on the legitimate owner. Furthermore, an Adwords account can allow criminals to manipulate existing and trusted search engine results.
It is a similar story with Twitter accounts. The added dimension of the immediacy of a social networking connection said, Mr. Shulman. “Twitter accounts are valuable to criminals that they will use almost any technique to harvest user credentials, including targeted phishing attacks. Once a fraudster gains access to a Twitter account, they can misuse it in a variety of ways to further their fraudulent activities,” he said. This happens because users are reusing passwords on other sites Some of those other sites turn out to have not been secure.
That’s the thing; as soon as any of the sites you log in to gets compromised, the email address or username and password associated with it can be tried by the bad guy on various other services. Since most people re-use passwords, there’s a high likelihood that they will gain access to your account. From there, who knows what kind of damage they might cause. If you’re lucky, you’ll notice something’s amiss. Twitter advised that people are continuing to use the same email address and password (or a variant) on multiple sites. We strongly suggest that you use different passwords for each service you sign up for.
Stolen online banking credentials
In a related article, Trusteer reports that most online banking customers reuse their login credentials on non-financial websites. Trusteer found that 73% of bank customers use their banking account passwords to access much less secure websites. They also found that 47% use both their online banking user ID and password to log in elsewhere on the Internet.
Cybercriminals are exploiting the widespread reuse of online banking credentials. These criminals have devised various methods to harvest login credentials from less secure sources, such as webmail and social network websites. Once acquired, these usernames and passwords are tested on financial services sites to commit fraud.
The report’s key findings include:
- 73% of users share the passwords which they use for online banking, with at least one nonfinancial website.
- 47% of users share both their user ID and password with at least one nonfinancial website.
- When a bank allows users to choose their own user ID, 65% of users share this ID with nonfinancial websites.
- When a bank chooses the user ID for its customers, 42% use the bank-issued user ID with at least one other website.
“Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users repurpose their financial service usernames and passwords,” said Amit Klein, CTO of Trusteer and head of the company’s research organization. “Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple websites.”
“If this isn’t a wake-up call to anyone with multiple IDs that use the same password, I don’t know what is. Internet users – especially those with business accounts – need to use different passwords for different services, or they could face the disastrous consequences of taking a slack approach to their credentials,” Shulman told Help Net Security.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
